SecureView & XenClient XT Security. Dr. Ryan Durante Chief, Cross Domains Solutions & innovation AFRL/RIEB




AFMC PA Case Number: AFMC-2011-0166. The material was assigned a clearance of CLEARED on 01 Sep 2011.

Overview
- The Problem
- Background
- Solution
- Xen Background
- Programmatics
- SecureView 2.0
- XenClient XT Deep Dive
- Summary
- POCs

The Problem
- Uncertainty using untrusted software and hardware components in commercial and military computer systems for networked forces to maintain mission operations in high-threat, contested cyber environments
- Current state:
  - DoD/IC missions and systems reliant on COTS
  - IT management assumes inherent trust of networked systems
  - Most components are developed in foreign countries
  - Mistaken faith that compromised devices would be identified by intrusion detection systems or AV
- The solution must:
  - Balance security, performance, and affordability
  - Be flexible to include multi-platform and multi-mission support
  - Be simple
  - Increase the trust in computing on untrusted systems
  - Maintain operations in a contested cyber environment

Requirements
- Require the highest levels of security, isolation, and auditability
- Need access to multiple partner computing environments
- Each environment needs a segregated network
- Heavy-duty workloads

SecureView Background
- AFRL was requested by the DoD/IC to develop a secure MLS workstation.
- Zero tolerance for data exfiltration
- No split tunneling
- No print screen
- Malware resilient
- No third-party screen scraping/key logging
- Minimal impact to host agency
- Rapid provisioning (4 hours)

The Solution
- Over a dozen different solutions were analysed over a six-month period.
- A Type 1 client hypervisor architecture was selected.
- Based on Citrix's XenClient plus some GOTS enhancements
- SecureView is the name of the government program that utilizes XenClient XT as the basis for a multi-level workstation.

SecureView (Login Screen)

The Partnership
- AFRL, Intel and Citrix kicked off a partnership in early 2010.
- Citrix and Intel have provided the government an unprecedented level of cooperation.
- Change requests are often turned around in a matter of days and weeks, not months and years.
- NSA CSS has provided steering, guidance, and reference implementations.
- NSA I773 provided testing resources.

What is XenClient?
(Diagram: Local VM Desktop | Local VM Desktop, running on Citrix XenClient, running on x86 hardware)
- Type 1 hypervisor: high performance because it runs on bare metal
- Built on 64-bit open source Xen technology
- Runs multiple virtual desktops simultaneously
- Hardware-independent VMs
- Service VM architecture for extensibility

Why the Xen Hypervisor?
- Enterprise and cloud proven
  - Mature, market-proven Xen virtualization engine
  - Battle tested in large clouds and datacenters
- The Xen.org open source development community: hundreds of developers, companies, universities and other orgs
  - More than 25,000 code submissions in Xen 4.0
- Reliability, security, performance, with full enterprise feature set
  - >85% of the public infrastructure cloud runs on Xen
- Thin, open source, inspected
  - Thin hypervisor minimizes trusted codebase
  - Thriving security community
  - Open to inspection

Client Hypervisor Benefits
- Security, manageability, attestability and supportability
- Runs multiple independent VMs with policy-controlled information flow
- Enables Multiple Independent Levels of Security systems
- Enables out-of-band management and policy enforcement
  - Control removable media access, image update, backup, attestation
- Thick or thin mode of operation

SecureView Government Industry Collaboration

Modifications from XC to XCXT
- DRTM of hypervisor and dom0 (measured launch)
- Platform hardening
- Disaggregate and de-privilege functionality into dedicated service VMs
  - Moved network stack to a separate service VM
- Implemented SELinux in dom0 and the NDVM with a custom set of SELinux policies
- Narrow interfaces between components
- Cross-VM mouse control

Cost
- XenClient XT MSRP, QTY 1 = $499/license
- Typical Citrix Federal/DoD volume discount = 51-52%
- Actual cost around $250/license
- Maintenance = 20% or $50/year

Supported Platforms
- As of Jun 2011, the following desktop platforms are supported:
  - Dell Optiplex 980
  - HP 8100
  - (Numerous laptops)
- HCL will be expanded with v2.0
- In testing:
  - Dell Optiplex 990
  - HP 8200

Program Documentation
- System Security Plan (SSP)
- Security Test Plan & Procedures (STP)
- Master Security Requirements Matrix (MSRTM)
- Installation & Configuration Guide (ICG)
- Administrator Guide (AG)
- User's Guide (UG)
- Integrated Support Plan (ISP)

Certification
- XenClient XT was favorably evaluated against the new NIST 800-53 Security Controls Catalog for:
  - Confidentiality: HIGH
  - Integrity: HIGH
  - Availability: MEDIUM
- ATO: 25 Aug 2011

Comparison to Other MLS Clients
- Unprecedented security via hardware-based security features: VT-d, VT-x, EPT, TPM, TXT
- Can be run in either thick or thin mode
- Supports robust 3D graphics
- Relatively simple architecture
  - Extensive desktop server backend not required, but can be leveraged if desired
- Uses low-cost commodity desktop hardware (or laptops)
- Cost ($250/client) is significantly cheaper than other MLS access solutions
- Industry support

XenClient XT Architecture Deep Dive

Secure Isolation
- Maintaining isolation between VMs is priority #1
  - Essential for cloud, and for client
  - Spatial and temporal isolation
- Use good software engineering practice
  - Thin hypervisor: minimize code running with privilege (60K-70K SLOC)
  - Disaggregate and de-privilege functionality into dedicated service VMs
  - Narrow interfaces between components
  - Hypervisors are simpler than OSs, simpler than OS kernels
  - Use modern high-level languages where possible
- New hardware technologies help
  - VT-x, VT-d, EPT: reduce software complexity, enhanced protection
  - TPM/TXT: enable Dynamic Root of Trust

XenClient Architecture
(Diagram: Service VM | Control Domain (Receiver for XC) | User VM | User VM, running on XenClient, running on Intel hardware with VT-d, VT-x, AES-NI)

XenClient XT (SecureView) Architecture
(Diagram comparing XenClient with XenClient XT. XenClient XT's unique service VMs: Control Domain (Receiver for XC), Network Isolation, VPN Isolation. User VMs gain SELinux policy granularity; XenClient XT adds Xen Security Modules; Intel vPro hardware provides VT-d, VT-x, TXT, AES-NI.)

Platform Hardening
- NSA's Xen Security Modules
  - XSM-FLASK for Mandatory Access Control
  - Low-level isolation enforcement, fine-grained privilege for service VMs
- OpenEmbedded Linux used for platform service VMs
  - SELinux provides MAC
- Platform service VMs: disaggregate and deprivilege
  - Network driver VMs, user interface VM
- Per-VM device emulation VMs
  - Compartmentalize complex guest-facing function, reduce to a narrow interface
- Future: virtual TPM VMs

Hardware Assisted Security
- Security rooted in the HW with Intel vPro
- Trusted boot with Intel Trusted Execution Technology
- Secure device access with Intel directed I/O virtualization technology
- Hardware-accelerated disk encryption with Intel AES-NI

Measured Launch
- Verify XenClient installation integrity; prevent offline tampering of installation or configuration state
- Measured launch
  - Intel TXT used to establish DRTM; measure XenClient primary components on every boot
  - Extend measurements to include secondary components
- Trusted Platform Module
  - PCRs reflect the state and configuration of the system
  - All XenClient device configuration state is encrypted
  - Encryption key is sealed by the TPM, only released if PCR values match those expected

XenClient XT: Trusted Execution Technology - Hardening the Foundation
(Diagram of the boot sequence, building up from HW to Hypervisor to OS to Apps)
1. Power on: system firmware/BIOS verified and measured by TXT prior to boot
2. Hypervisor measured by TXT
3. Consult the Trusted Platform Module to unseal the device encryption key if measurements match
4. Launch VMs, OS, etc.
- Verify XenClient integrity, prevent offline tampering of installation or configuration state
- All XenClient configuration state is encrypted
- Encryption key is sealed by the TPM, only released if measurements match expected
- If measurements do not match, the encryption key cannot be recovered, so boot cannot proceed: system lockout, recovery key required
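The two slides above describe the chain of measure, extend, seal and unseal without showing the arithmetic. The following is an added model of that chain, not XenClient XT or Intel code: PCRs are modelled as TPM 1.2-style SHA-1 registers, the PCR indices (17 for the hypervisor, 18 for dom0), the component images, the device key and the "SRK secret" are all constructed for the example, and the TPM's SRK-encrypted sealed blob is replaced by an HMAC-derived keystream so the script runs with the standard library only. The point it shows is that any change to a measured component changes the PCR composite and the key is never released.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Added example, not XenClient XT code. Models TXT measuring the hypervisor and
# dom0 into TPM PCRs, sealing the device key to those PCRs, and a later boot
# only recovering the key if it reproduces exactly the same measurements.

PCR_BYTES = 20                       # TPM 1.2 PCRs hold a SHA-1 digest
HYPERVISOR_PCR, DOM0_PCR = 17, 18    # assumed PCR assignment for this model
SRK_SECRET = b"constructed-storage-root-key-secret"   # stands in for the TPM SRK


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA1(PCR_old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measured_launch(hypervisor: bytes, dom0: bytes) -> Dict[int, bytes]:
    """Simulate a DRTM boot: PCRs start at zero, each component is measured in."""
    pcrs = {HYPERVISOR_PCR: bytes(PCR_BYTES), DOM0_PCR: bytes(PCR_BYTES)}
    pcrs[HYPERVISOR_PCR] = pcr_extend(pcrs[HYPERVISOR_PCR], hypervisor)
    pcrs[DOM0_PCR] = pcr_extend(pcrs[DOM0_PCR], dom0)
    return pcrs


def pcr_composite(pcrs: Dict[int, bytes], selection: Tuple[int, ...]) -> bytes:
    """Digest over the selected PCRs in index order; this is the sealing policy."""
    h = hashlib.sha1()
    for idx in selection:
        h.update(pcrs[idx])
    return h.digest()


def seal(key: bytes, pcrs: Dict[int, bytes], selection: Tuple[int, ...]) -> dict:
    """Bind `key` to the current PCR values. Simplification: an HMAC keystream
    replaces the TPM's SRK-encrypted blob; the comparison logic is the same."""
    composite = pcr_composite(pcrs, selection)
    pad = hmac.new(SRK_SECRET, composite, hashlib.sha256).digest()
    return {"selection": selection, "composite": composite,
            "ct": bytes(a ^ b for a, b in zip(key, pad))}


def unseal(blob: dict, pcrs: Dict[int, bytes]) -> Optional[bytes]:
    """Release the key only if the booted state reproduces the sealed PCRs."""
    composite = pcr_composite(pcrs, blob["selection"])
    if not hmac.compare_digest(composite, blob["composite"]):
        return None   # lockout: the boot cannot proceed without the recovery key
    pad = hmac.new(SRK_SECRET, composite, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], pad))


# Constructed component images and device key for the demonstration.
GOOD_HV = b"xen-4.0-xenclient-xt-image"
GOOD_DOM0 = b"dom0-openembedded-selinux-image"
DEVICE_KEY = hashlib.sha256(b"constructed device encryption key").digest()
SELECTION = (HYPERVISOR_PCR, DOM0_PCR)

# Provisioning: seal the key to the PCRs of a known-good boot.
SEALED = seal(DEVICE_KEY, measured_launch(GOOD_HV, GOOD_DOM0), SELECTION)


def boot(hypervisor: bytes, dom0: bytes) -> Optional[bytes]:
    """Full boot path: measured launch, then attempt to unseal the disk key."""
    return unseal(SEALED, measured_launch(hypervisor, dom0))


if __name__ == "__main__":
    print("pristine boot recovers key:", boot(GOOD_HV, GOOD_DOM0) == DEVICE_KEY)
    print("tampered hypervisor:", boot(GOOD_HV + b"-patched", GOOD_DOM0))
```

Because the composite is recomputed from the live PCRs, an offline edit of the hypervisor image or of dom0 shows up as a different composite on the next boot, which is exactly the "system lockout, recovery key required" branch on the slide; a real TPM performs the comparison inside the chip rather than in software.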

Enhanced Policy Granularity
- Wipe-on-reboot guest VMs
  - Purge user changes, boot to a known clean VM
  - Persist admin-defined settings
- Local controls without Synchronizer
  - Local disk encryption
  - VM configuration lockdown
- Enhanced isolation policies
  - Audio, graphics, USB, optical drives
  - Inter-VM communication

Network Architecture
- Network Driver VM (NDVM) controls physical network devices
  - Wired and wireless (optional)
  - VT-d IOMMU used to restrict device DMA: provides protection against buggy/malicious drivers or firmware
- NDVM can be security non-critical: reduces a compromise to denial of service
  - Network traffic passing through the NDVM is already encrypted
  - In-VM VPN (using USB token), or per-VM service VM implementing VPN
- NDVM can implement per-VM network restrictions
  - E.g. require all VM traffic to go to a particular VPN endpoint IP to inhibit split tunnelling
  - Bridged or DNAT, VLAN

XenClient XT: Network Isolation Service VMs
- Service VMs
  - Require additional system resources
  - Deliver the highest levels of isolation
- Isolated networking service VM
  - Device drivers, physical NIC access, and routing
  - Network-based attacks don't compromise the control domain
- VPN service VMs
  - VPN runs outside user VMs for increased isolation
  - Allows split tunneling to be eliminated
- Advanced networking policy
  - Access allowed to only approved infrastructure
  - Per-VM firewalling and QoS
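The per-VM restriction on the two network slides ("require all VM traffic to go to a particular VPN endpoint IP", "access allowed to only approved infrastructure") is easiest to see as a forwarding decision. The following is an added model of that decision, not the NDVM's own code: VM names, VLAN tags, endpoint addresses (taken from documentation address ranges) and the VPN ports are constructed, and the policy table stands in for whatever configuration the real NDVM consumes. It shows why a VM that tries to reach any host other than its endpoint, or another VM's endpoint, gets dropped inside the NDVM, which is what removes the split tunnel.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# Added example, not XenClient XT NDVM code. Each user VM is bridged to its
# own VLAN and may only exchange VPN traffic with its assigned endpoint.


@dataclass(frozen=True)
class Packet:
    src_vm: str        # which user VM's virtual NIC the frame arrived on
    dst_ip: str
    proto: str         # "udp" or "tcp"
    dst_port: int


@dataclass(frozen=True)
class VmNetPolicy:
    vlan: int                                # VLAN tag applied on the physical NIC
    vpn_endpoint: str                        # the only permitted destination IP
    vpn_ports: Tuple[Tuple[str, int], ...]   # (proto, port) pairs the VPN client uses


# Constructed policy table: two user VMs on different networks, each pinned
# to a different VPN concentrator (addresses are documentation placeholders).
POLICY: Dict[str, VmNetPolicy] = {
    "vm-network-a": VmNetPolicy(100, "203.0.113.10", (("udp", 500), ("udp", 4500))),
    "vm-network-b": VmNetPolicy(200, "198.51.100.20", (("tcp", 443),)),
}


def ndvm_forward(pkt: Packet, policy: Dict[str, VmNetPolicy] = POLICY) -> Tuple[str, Optional[int]]:
    """Return (verdict, vlan) for one packet leaving a user VM."""
    rule = policy.get(pkt.src_vm)
    if rule is None:
        return "DROP", None            # unknown VM: no policy means no network access
    to_endpoint = ip_address(pkt.dst_ip) == ip_address(rule.vpn_endpoint)
    if to_endpoint and (pkt.proto, pkt.dst_port) in rule.vpn_ports:
        return "ACCEPT", rule.vlan     # tunnel traffic to the approved endpoint
    return "DROP", None                # anything else would be a split tunnel


def audit(packets: List[Packet]) -> List[str]:
    """Produce one audit line per packet; the NDVM is the natural place to log
    dropped flows because it sees every user VM's traffic."""
    lines = []
    for p in packets:
        verdict, vlan = ndvm_forward(p)
        tag = f" vlan={vlan}" if vlan is not None else ""
        lines.append(f"{verdict} {p.src_vm} -> {p.dst_ip}:{p.dst_port}/{p.proto}{tag}")
    return lines


# Constructed sample traffic: legitimate tunnel setup, a direct connection
# that would bypass the tunnel, a cross-network attempt, and an unknown VM.
SAMPLE = [
    Packet("vm-network-a", "203.0.113.10", "udp", 4500),
    Packet("vm-network-a", "192.0.2.55", "tcp", 443),
    Packet("vm-network-b", "203.0.113.10", "udp", 4500),
    Packet("vm-rogue", "198.51.100.20", "tcp", 443),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

The same rule shape applies whether the VPN client runs inside the user VM with a USB token or in a per-VM VPN service VM: in the second case the source of the packet is the VPN service VM rather than the user VM, and the user VM itself has no path that does not pass through it.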

IO Device Pass-through vs. Virtualization
- Pass-through dedicates a device to a particular VM
  - Protection provided by VT-d IOMMU for PCIe devices
  - Requires a guest driver for the particular device
- Device virtualization enables devices to be shared between VMs
  - Higher-level model allows the device to be multiplexed, hardware abstracted
  - Presented to VMs using device emulation, or para-virtualization for improved performance and code simplicity
- Different levels possible: controller vs. end device
  - E.g. virtualize the USB host controller, pass through individual devices

Hardware Virtualization
(Diagram: User VM | User VM | Control Domain | Service VM, running on the Xen Hypervisor, over x86 hardware: Audio, Disk, AMT, NIC, GPU, USB, TXT, TPM)

Hardware Pass-Through Operation
(Diagram: same layout as above, showing devices passed through directly to VMs)

Input Path
- Goals
  - Prevent one VM from logging input intended for another VM
  - Prevent injection of key events
  - Full-screen and seamless desktop integration modes
- Keyboard and pointer devices always controlled by the platform
  - Platform knows which VM is on screen, routes keyboard and mouse events exclusively to that VM
  - Key sequences processed by the platform for secure attention and VM switching
- Support for a secure keyboard path even in seamless desktop mode
  - When an application window gets focus, the keyboard is routed to the respective VM
  - Allows mouse switching to move focus between different display heads

USB Device Virtualization
- Goals
  - Provide broad USB device compatibility; good performance
  - Control routing of devices to VMs through policy enforcement
- Implementation
  - Platform owns USB host controller devices
  - VMs have a Xen para-virtual USB host controller
  - When a device is plugged in: identify it, apply policy, make it visible on the guest host controller
  - Forward USB messages between real and virtual host controllers
- Similar approach for SATA optical drives
  - Enables Blu-ray playback, DVD writing, etc.
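The input-path and USB slides share one design: the platform owns the host controllers, decides per event where input or a device goes, and never lets a guest see something policy has not routed to it. The following is an added model of that control point, not XenClient XT code: the USB class codes are the standard ones, but the policy rules, VID/PID values, VM names, switching hotkeys and secure attention sequence are all constructed for the example. It shows that a HID device is never exposed to a guest (the platform routes its events itself), that the secure attention and VM-switch sequences are consumed by the platform rather than forwarded, and that keystrokes only ever reach the VM that currently has focus.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not XenClient XT code. Models the platform-side policy step
# for USB hotplug and the platform-controlled keyboard routing.

USB_CLASS_HID = 0x03             # keyboards, mice: always stay with the platform
USB_CLASS_MASS_STORAGE = 0x08
USB_CLASS_SMART_CARD = 0x0B


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    dev_class: int
    description: str


@dataclass(frozen=True)
class UsbRule:
    """First matching rule wins; None in a match field is a wildcard."""
    dev_class: Optional[int]
    vid: Optional[int]
    pid: Optional[int]
    target_vm: Optional[str]     # None = deny: device is never exposed to any guest


# Constructed policy (IDs and VM names are made up for the example).
USB_POLICY: List[UsbRule] = [
    UsbRule(USB_CLASS_SMART_CARD, None, None, "vm-network-a"),       # VPN token
    UsbRule(USB_CLASS_MASS_STORAGE, 0xAAAA, 0x0001, "vm-unclass"),   # one vetted stick
    UsbRule(USB_CLASS_MASS_STORAGE, None, None, None),               # other storage denied
]

# Assumed platform key sequences: VM switching and the secure attention key.
SWITCH_HOTKEYS: Dict[str, str] = {"ctrl+alt+F1": "vm-unclass", "ctrl+alt+F2": "vm-network-a"}
SECURE_ATTENTION = "ctrl+alt+del"


@dataclass
class Platform:
    focused_vm: str
    guest_controllers: Dict[str, List[UsbDevice]] = field(default_factory=dict)

    def hotplug(self, dev: UsbDevice) -> Tuple[str, Optional[str]]:
        """Identify the device, apply policy, expose it on one guest's
        para-virtual host controller or keep it away from every guest."""
        if dev.dev_class == USB_CLASS_HID:
            return "platform", None           # input devices are never handed out
        for rule in USB_POLICY:
            if rule.dev_class not in (None, dev.dev_class):
                continue
            if rule.vid not in (None, dev.vid) or rule.pid not in (None, dev.pid):
                continue
            if rule.target_vm is None:
                return "denied", None
            self.guest_controllers.setdefault(rule.target_vm, []).append(dev)
            return "assigned", rule.target_vm
        return "denied", None                 # default deny for anything unmatched

    def route_input(self, key: str) -> Tuple[str, str]:
        """Deliver a key event to exactly one VM, or consume it in the platform."""
        if key == SECURE_ATTENTION:
            return "platform", "secure-attention"   # never forwarded to a guest
        if key in SWITCH_HOTKEYS:
            self.focused_vm = SWITCH_HOTKEYS[key]
            return "platform", f"switch:{self.focused_vm}"
        return self.focused_vm, key           # only the on-screen VM sees it


if __name__ == "__main__":
    plat = Platform("vm-unclass")
    print(plat.hotplug(UsbDevice(0xBBBB, 0x0002, USB_CLASS_HID, "usb keyboard")))
    print(plat.hotplug(UsbDevice(0xAAAA, 0x0001, USB_CLASS_MASS_STORAGE, "vetted stick")))
    print(plat.route_input("a"), plat.route_input("ctrl+alt+F2"), plat.route_input("a"))
```

Keeping both decisions in the platform is what makes the anti-keylogging goal enforceable: a guest only receives the events the platform forwarded to it and only sees the USB devices the platform attached to its virtual controller, so no guest driver is ever in a position to observe another VM's input.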

GPU Virtualization
- Ultimate goals of GPU virtualization
  - Support full-performance rendering from multiple VMs
  - Full application compatibility
  - Must retain isolation: prevent screen scraping, pixel injection
- XenClient supports several different graphics architectures
- Implemented: hybrid virtualized/pass-through GPU
  - Display side of the GPU is virtualized, rendering side passed through to a single VM
  - One VM gets 3D performance, others get reduced capability via a PV GPU
  - Platform retains control of the GPU's display/output functions
  - We always control which VM is on screen; we don't rely on the GPU-owning VM to be running

SecureView 2.0

What's New in 2.0?
Major themes:
- STM integration
- Expanded hardware compatibility
- NSA HAP R2 compliance
- Better enterprise management
  - Production-scale Synchronizer
- Simplified user experience

Integration of SMM Transfer Monitor
- It has been proven that Intel TXT can be subverted via certain specialized attacks against SMM mode.
- SecureView 2.0 will include a System Management Mode (SMM) Transfer Monitor (STM)
  - A correct STM implementation can mitigate SMM attacks.
  - Developed by Dell in collaboration with the NSA
  - Available on select Dell systems 1QCY12

Additional Vendor Support
(Comparison of supported vendors: XenClient 1.x vs. XenClient 2.0)

Production Ready Synchronizer
- Enhanced scalability
  - Enhanced single-server scalability
  - Automatic throttling of connections under heavy load
  - Support for large, complex AD environments with AD trust
- Accelerated and optimized image transfers and installs
  - DVD/USB pre-caching
- Backup optimizations
  - User profile virtualization and focused backup for static image mode
  - Restore user profile with a newer OS/Apps image
  - Faster backups with less CPU overhead
  - Smart filtering of page file, hibernate file, and unused data blocks

Production Ready Synchronizer
- Operational enhancements
  - Enhanced XenClient device details, reporting, and filtering
  - Revamped installation system
- Appliance operations console
  - At-a-glance system configuration
  - Simple configuration management
- Internet-facing Synchronizer enhancements
  - Separated Admin UI and Client Access
- Device, user, and group removal

Simplified User Interfaces
- XenClient Receiver
  - Revamped to be simpler and more responsive
  - New per-VM details view replaces the advanced view
  - VM hotkey switching
  - OEM branding support
- Synchronizer
  - Revamped assignment and policy wizard
  - Simplified operations console
  - New device details view

Additional Enhancements
- Up to 8GB of memory per VM
- Support for Windows 7 SP1 32/64
- Experimental support for Ubuntu 11.04
- Improved integrated Windows 7 audio support

Secure Window Compositing
- Near term:
  - Combining application windows from multiple VMs into the same desktop display, adding colored borders
  - Enabling seamless launch of applications running in different VMs
  - Continue to prevent key logging
- Far term:
  - Use video overlays and secure compositing to prevent screen scraping/pixel injection while maintaining 3D performance (integrate NSA R23 SVP work)

Summary
- SecureView breaks new ground in client virtualization
  - True Type 1 hypervisor for robust isolation and performance
  - Enhanced Isolation Pack meets government security criteria
  - Open source based
  - More affordable
  - More capable
- SecureView is available now
  - NIST 800-53 certified (ATO 25 Aug 2011)

Points of Contact
- Program Manager: Dr. Ryan Durante, AFRL/RIEB, 315.330.4004, ryan.durante@rl.af.mil
- Lead Engineer: Steve Scheiderich, MicroQuest, 315-330-4635, stephen.scheiderich.ctr@rl.af.mil
- Deputy Program Manager: John Woodruff, AFRL/RIEB, 315.330.7657, john.woodruff@rl.af.mil
- Xen Technical Lead: Kevin Pearson, AFRL/RIEB, 315-330-3202, Kevin.pearson@rl.af.mil
- NGMS Program Manager: Steve Ochsner, NGMS, 402.293.3988, steve.ochsner@ngc.com
- LPS Lead: TJ Vestal, AFRL/RIG, 315-330-7014, thomas.vestal@rl.af.mil

Q&A